
Unable to import azurerm_pim_eligible_role_assignment resources #22678

Closed

MohnJadden opened this issue Jul 25, 2023 · 5 comments

Comments

@MohnJadden

Is there an existing issue for this?

  • I have searched the existing issues


Terraform Version

1.5.3

AzureRM Provider Version

3.65.0

Affected Resource(s)/Data Source(s)

azurerm_pim_eligible_role_assignment

Terraform Configuration Files

variable "teams" {
  type = map(object({
    team_name            = string
    location             = string
    Owner                = string
    TechnicalContact     = string
    SecurityGroup        = string
    DepartmentName       = string
    City                 = string
    ApplicationGroupType = string
    ApplicationType      = string
    LoadBalancerType     = string
    VDIType              = string
    MaximumSessions      = number
  }))
}

data "azurerm_subscription" "currentSubscription" {}

# Built-in role looked up by display name; its id is the
# /providers/Microsoft.Authorization/roleDefinitions/<guid> path.
data "azurerm_role_definition" "vm_admin_login" {
  name = "Virtual Machine Administrator Login"
}

resource "azurerm_resource_group" "vdi-rg" {
  for_each = var.teams
  name     = "${each.value.team_name}-VDI"
  location = coalesce(each.value.location, each.key)
  tags = {
    Owner            = coalesce(each.value.Owner, each.key)
    TechnicalContact = coalesce(each.value.TechnicalContact, each.key)
    Location         = coalesce(each.value.City, each.key)
    DepartmentName   = coalesce(each.value.DepartmentName, each.key)
    TeamName         = coalesce(each.value.team_name, each.key)
  }
}

# One eligible (PIM) assignment per team, scoped to that team's resource group.
resource "azurerm_pim_eligible_role_assignment" "role-vdi-vmadminpim" {
  for_each = var.teams
  # The resource group id already has the /subscriptions/<id>/resourceGroups/<name> form.
  scope = azurerm_resource_group.vdi-rg[each.key].id
  # role_definition_id must be the full, subscription-qualified role definition
  # resource ID, not the role's display name.
  role_definition_id = "${data.azurerm_subscription.currentSubscription.id}${data.azurerm_role_definition.vm_admin_login.id}"
  # principal_id is the Entra ID object ID of the security group (or user).
  principal_id = coalesce(each.value.SecurityGroup, each.key)
}

Debug Output/Panic Output

PS C:\Repos\Infra_Azure_Terraform_Source\Infra_Azure_Terraform_Source> terraform import --var-file=azureVDI.tfvars 'azurerm_pim_eligible_role_assignment.role-vdi-vmadminpim[\"Team2\"]' "/subscriptions/subscriptionGUID/resourecGroupName|/subscriptions/subscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4|securityGroupGUID"
data.azurerm_subscription.currentSubscription: Reading...
data.azurerm_subscription.currentSubscription: Read complete after 0s [id=/subscriptions/subscriptionGUID]
azurerm_pim_eligible_role_assignment.role-vdi-vmadminpim["Team2"]: Importing from ID "/subscriptions/subscriptionGUID/resourecGroupName|/subscriptions/subscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4|securityGroupGUID"...
azurerm_pim_eligible_role_assignment.role-vdi-vmadminpim["Team2"]: Import prepared!
  Prepared azurerm_pim_eligible_role_assignment for import
azurerm_pim_eligible_role_assignment.role-vdi-vmadminpim["Team2"]: Refreshing state... [id=/subscriptions/subscriptionGUID/resourecGroupName|/subscriptions/subscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4|securityGroupGUID]
╷
│ Error: listing role assignments on scope Role Management Policy: (Principal Id "securityGroupGUID" / Scope "/subscriptions/subscriptionGUID/resourecGroupName" / Role Definition Id "/subscriptions/subscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4"): loading results: unexpected status 404 with response: {"message":"No HTTP resource was found that matches the request URI 'https://management.azure.com/subscriptions/subscriptionGUID/resourecGroupName/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?%24filter=%28principalId+eq+%27securityGroupGUID%27+and+roleDefinitionId+eq+%27%2Fsubscriptions%2FsubscriptionGUID%2Fproviders%2FMicrosoft.Authorization%2FroleDefinitions%2F1c0163c0-47e6-4577-8991-ea5c82e286e4%27%29&api-version=2020-10-01'."}
│
│ listing role assignments on scope Role Management Policy: (Principal Id "securityGroupGUID" / Scope "/subscriptions/subscriptionGUID/resourecGroupName" / Role
│ Definition Id "/subscriptions/subscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4"): loading results: unexpected status 404 with  
│ response: {"message":"No HTTP resource was found that matches the request URI
│ 'https://management.azure.com/subscriptions/subscriptionGUID/resourecGroupName/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?%24filter=%28principalId+eq+%27securityGroupGUID%27+and+roleDefinitionId+eq+%27%2Fsubscriptions%2FsubscriptionGUID%2Fproviders%2FMicrosoft.Authorization%2FroleDefinitions%2F1c0163c0-47e6-4577-8991-ea5c82e286e4%27%29&api-version=2020-10-01'."}

Expected Behaviour

Terraform should import the PIM eligible role assignment into the state with the map value specified in [brackets]

Actual Behaviour

Terraform prepares to import the resource but then throws the 404 error shown above

Steps to Reproduce

  1. Run terraform apply --var-file=azureVDI.tfvars (or other applicable tfvars file) with the above configuration
  2. Terraform creates the resource group but times out when creating the PIM assignment - the resource group is successfully added to the state but the PIM assignments are not, even though the PIM assignments exist in Azure
  3. Run terraform import --var-file=azureVDI.tfvars 'azurerm_pim_eligible_role_assignment.role-vdi-vmadminpim["Team2"]' "/subscriptions/subscriptionGUID/resourceGroupName|/subscriptions/subscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4|securityGroupGUID", replacing the following:
  • Replace Team2 with the key from the mapped variable - whatever key you want that failed to create from steps 1 and 2
  • Replace subscriptionGUID with the ID of the subscription you're working with
  • Replace resourceGroupName with the name of the Azure resource group created by TF in the config from steps 1 and 2
  4. Error occurs

Important Factoids

No response

References

Issue #22588 covers the problem described in Steps to Reproduce 1 and 2

@wuxu92
Contributor

wuxu92 commented Jul 26, 2023

Hi @MohnJadden thanks for filing this issue. as you description it seems the role assignment has not been created success and an timeout error raised. so the import operation returned an error too becase the assignment resource cannot be found. I submitted a PR #22682 which tries to fix the timeout issue when wating the role assignment finish. could you please have a try again when this PR released to see if it fixes the issue?

@MohnJadden
Author

@wuxu92 I'd love to try it - pardon what may be a stupid question, but I don't do much operating in a devops world. Now that the PR is merged into main, do I need to wait for a new release of the azurerm provider or is there some method I should use to pick up the changes?

@rcskosir rcskosir added the bug label Jul 26, 2023
@wuxu92
Contributor

wuxu92 commented Jul 27, 2023

@MohnJadden you can wait for a new release and then use the newer version. If it is an urgent task, you can build the latest main branch and then use a Terraform CLI configuration (development-overrides-for-provider-developers) to use the local plugin you built.

@MohnJadden
Author

The new release appears to have fixed something - I was able to import successfully. It wasn't easy to do so since the provider documentation doesn't account for Windows escape characters, nor is it easy to find documentation on how to import resources into mapped variables.

For anyone that's struggling, I was able to perform the import in Windows using the following format:

terraform import 'azurerm_pim_eligible_role_assignment.resource-name-here[\"MapValue\"]' "/subscriptions/subscriptionGUIDGoesHere/resourceGroups/resourceGroupNameGoesHere|/subscriptions/subscriptionGUIDGoesHere/providers/Microsoft.Authorization/roleDefinitions/guidOfRoleDefinitionGoesHere|userOrGroupGUIDGoesHere"

This accounts for Windows escape characters, pipes, etc.

If the scope of the PIM assignment is a subscription and not resource groups, omit the resourceGroups/resourceGroupNameGoesHere from above.
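As an added example, not part of this issue thread or the provider's own documentation: Terraform 1.5 (the version reported above) also accepts import blocks in configuration, which sidesteps the Windows quoting problem entirely because the resource address and the map key are HCL, not shell arguments. The import ID keeps the same three pipe-separated segments used in the thread (scope, role definition ID, principal object ID). The placeholders subscriptionGUID, resourceGroupName and securityGroupGUID are assumptions to replace; the role definition GUID is the built-in "Virtual Machine Administrator Login" role seen in the debug output, and the subscription-scoped resource name role-sub-vmadminpim is hypothetical.

```hcl
# Added example (not from the issue): declarative import of an existing PIM
# eligibility with a Terraform 1.5+ import block. Put it next to the resource
# config, run `terraform plan -var-file=azureVDI.tfvars` to see the planned
# import, then `terraform apply` to write it into state. The block can be
# removed after the apply succeeds.
#
# id layout: <scope>|<role_definition_id>|<principal_id>
# subscriptionGUID, resourceGroupName and securityGroupGUID are placeholders
# (assumptions) to fill in; the role definition GUID is the built-in
# "Virtual Machine Administrator Login" role from the debug output above.

# Resource-group-scoped eligibility for one key of the for_each map.
# The scope must contain the /resourceGroups/<name> segment; a scope written as
# /subscriptions/<id>/<name> produces the 404 shown earlier in the thread.
import {
  to = azurerm_pim_eligible_role_assignment.role-vdi-vmadminpim["Team2"]
  id = "/subscriptions/subscriptionGUID/resourceGroups/resourceGroupName|/subscriptions/subscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4|securityGroupGUID"
}

# Subscription-scoped eligibility: the scope segment is just the subscription.
# role-sub-vmadminpim is a hypothetical resource name, not one from the issue.
import {
  to = azurerm_pim_eligible_role_assignment.role-sub-vmadminpim
  id = "/subscriptions/subscriptionGUID|/subscriptions/subscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4|securityGroupGUID"
}
```

The check worth doing before applying: the plan should list the address as "will be imported" and nothing else for that resource. If the plan instead proposes to create a new azurerm_pim_eligible_role_assignment, one of the three segments (most often the scope or the principal object ID) does not match the eligibility that actually exists in Azure, and applying would attempt a second assignment rather than adopting the existing one.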


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 11, 2024